School District Recovers Most of $3.8M Lost…Banking Trojan to Blame?

A New York school district had US$3.8M pilfered by cyber-criminals, who may have used a common banking trojan to gain valid login credentials to the district’s accounts. It is the very same trojan making the rounds on social networks like Facebook. The district has recovered most of the money, but is still out nearly US$500K.

An Information Week article last week highlighted some of the facts around the breach involving the Duanesburg Central School District in New York state. The prevailing theory is that the Zeus banking trojan is to blame. Unfortunately, while AV has gotten better at detecting the trojan and the accompanying botnet (zbot), organizations can’t control the transmission vectors, which are increasingly social networking and/or webmail applications. Given the high degree of user trust and huge user populations, malware developers have been targeting social networks aggressively (webmail is a well-established transmission vector). Some of these threats are specific to social networks (e.g., koobface, fbaction), but many times malware developers are re-using existing or older threats delivered in a new, hybrid way – exploiting the trust associated with social networks – which has given threats like Zeus a huge boost. If you can’t control the transmission vector, it’s much harder to manage the threat…especially when users click first and think later.